IT COMPLIANCE
Group 8: Phan Dinh Vuong, Vuong Tat Khang
Instructor: Prof. Dr. Martin Knahl
What does compliance mean?
To obey or follow the laws, rules, demands, etc.
Big Deal
Source: hotdeal.vn 18/08/2013
Question mark
Question 1: Can we export this successful model of the "HOTDEAL" service to Germany?
Question 2: If the "Hotdeal" service were at the highest level of IT security (data protection, encryption, etc.), would that be sufficient to export it to Germany?
Question mark
1. Why IT Compliance
2. What is IT Compliance
3. Frameworks, standards, practices
4. How to assess IT Compliance
5. Cost framework of IT Compliance
6. Compliance vs. non-compliance
7. Practical results from market research
Main Points
ENRON Scandal 2001
THE BIG FOUR, ONCE THE BIG FIVE
Sources:
http://www.articula.us/blog/wp-content/uploads/2012/07/Big4Logos.jpg
http://cdn.list25.com/wp-content/uploads/2013/01/Slide79.jpg
http://static1.businessinsider.com/image/4ae49adf0000000000a1ac51-1200/enron-broadband.jpg
BIG FOUR’S SECURITY SURVEY (IN 2006)
Source: Ernst & Young. 2006 Global Information Security Survey. Technical report, 2006. Available at http://www.ey.com/global/assets.nsf/International/TSRS_-_GISS_2006/$file/EY_GISS2006.pdf.
Trend 4
Trend 5
Trend 6
The impact of compliance continues to grow.
Compliance is promoting teaming between information security and other functional business groups.
Compliance is improving information security.
- Laws, rules and regulations (may be industry specific); considered mandatory. Examples: National Data Protection Acts, Informatics and Liberty Law, Financial Security Law, SOX, EuroSOX, Basel II, HIPAA.
- Standards, frameworks and security practices; an optimization perspective. Examples: ISO 9000, ISO 13335, ISO 17799:2005, ISO 2700x, COBIT, COSO, etc.
Sources:
http://www.j4vv4d.com/wp-content/uploads/2011/10/secVcomp.jpg
http://www.redspin.com/blog/wp-content/uploads//2011/05/SECvsCOMP.png
Compliance: focus on validating that the rules are followed; static and slow to be updated.
Security: focus on protection; dynamic.
IT Compliance types
Regulation Compliance: e.g. working hours 9am – 5pm, VAT 10%
Legal (Law) Compliance: e.g. killing people is against the law
Industry-specific Compliance: e.g. the suites of laws for the food and pharmaceutical industries
IT Compliance frameworks, standards, practices
SOX: enhanced standards to certify the accuracy of financial information
COSO: critical aspects of management and governance (risk management, fraud, etc.)
COBIT: best-practice framework for IT management and IT governance
ISO 9000, ISO 2700x, etc.
Typical Information Security Compliance Assessment
Source: Tashi, Igli. (2009). Regulatory Compliance and Information Security. IEEE.
INTER-RELATIONSHIP
• Regulatory penalties
• Brand damage
• Loss of customers' trust
Source: http://learnatvivid.files.wordpress.com/2012/07/non_compliance_costs.jpg
Findings from market research
- Independent research on privacy, data protection and information security policy; benchmark study, 2011.
- 46 multinational companies; 160 functional leaders (CFO, CIO, etc.).
IT Compliance Cost Framework
Source: Ponemon Institute| Benchmark Study | January 2011
Cost comparison
Compliance cost Vs Non-compliance cost?
WHAT AFFECTS COST OF COMPLIANCE & NON-COMPLIANCE?
• Industry and organizational size
• Laws and regulations are the main drivers for investment
COMPLIANCE & NON-COMPLIANCE SUPPORT
• An effective security strategy lowers the cost of non-compliance
• Ongoing internal compliance audits reduce the total cost of compliance
GAP BETWEEN COMPLIANCE & NON-COMPLIANCE COST
• Related to the number of records lost or stolen in data breaches (breaking or compromising the laws)
10 EFFECTIVENESS ATTRIBUTES
1. Appoint a high-level individual to lead compliance
2. Ensure oversight of compliance activities
3. Budget to meet goals and objectives
4. A cross-functional committee oversees local requirements
5. Implement metrics
6. Senior executives receive critical reports at crisis level
7. Reduce risk in the business and the threats of change
8. Keep pace between a changing workforce and security
9. Secure the business during the transition
10. Prevent attacks on critical resources, information and infrastructure
Summary
1. Why IT Compliance
2. What is IT Compliance
3. Frameworks, standards, practices
4. How to assess IT Compliance
5. Cost framework of IT Compliance
6. Compliance vs. non-compliance
7. Practical results from market research
Q&A
THANK YOU!
REFERENCES
• Tashi, Igli (2009). Regulatory Compliance and Information Security. IEEE.
• Ponemon Institute (2011). The True Cost of Compliance: Benchmark Study of Multinational Organizations.
• Ernst & Young (2006). Global Information Security Survey. Technical report (the Big Four's security survey).